Well, of course. ROI has enormous problems, including an assumption that technology works out, that there’s an infinite pool of free capital to draw on, etc. Techniques such as economic value add allow you to take some of these into account. But the biggest problem is that quantifying the cost of a breach is hard. Without knowing what the alternative is (to reserve or insure), it’s hard to justify much security spending. [Emphasis added.]

What I meant is not that ROI is impossible, but that there are better tools to use, even when you can quantify the costs. I’m in favor of quantifying costs and doing economic analysis. ROI, for example, doesn’t help you distinguish between two projects that both show an ROI of 100%. If one costs $1m and returns 20% a year over the 5 year expected life of the project, and another costs $300,000 and returns $300,000 in 1 year, then the ROI is the same, even though the second project hands the capital back four years sooner and leaves it free to fund the next project. Tools that account for the timing of cash flows, such as payback period or net present value, do separate the two.
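The two projects above, worked through in code. This is an added example, not part of the original post; it assumes the cash flows the post implies (project A pays out $200,000 at the end of each of five years on a $1m outlay, project B pays out $300,000 at the end of year one on a $300,000 outlay) and a hypothetical 10% cost of capital. It computes the simple ROI the post refers to, then the payback period and net present value that tell the projects apart.

```python
"""Why an equal ROI can hide very different projects.

Added example, not from the original post. The cash flows below are
constructed from the post's description; the timing (end-of-year inflows)
and the 10% discount rate are assumptions.
"""
from typing import List, Optional

# Constructed cash flows: index 0 is the up-front cost (negative), index t is
# the inflow received at the end of year t.
PROJECT_A: List[float] = [-1_000_000, 200_000, 200_000, 200_000, 200_000, 200_000]
PROJECT_B: List[float] = [-300_000, 300_000]

# Assumed cost of capital; any positive rate separates the two projects.
DISCOUNT_RATE = 0.10


def simple_roi(cash_flows: List[float]) -> float:
    """Total inflows divided by the initial outlay.

    This is the 'ROI of 100%' in the post: both projects return exactly the
    money put in, so the number cannot rank them.
    """
    cost = -cash_flows[0]
    return sum(cash_flows[1:]) / cost


def payback_years(cash_flows: List[float]) -> Optional[int]:
    """Year in which cumulative inflows first cover the outlay, or None if never."""
    cumulative = cash_flows[0]
    for year, inflow in enumerate(cash_flows[1:], start=1):
        cumulative += inflow
        if cumulative >= 0:
            return year
    return None


def npv(cash_flows: List[float], rate: float) -> float:
    """Net present value: each year's flow discounted back to today at `rate`."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def compare(a: List[float], b: List[float], rate: float = DISCOUNT_RATE) -> dict:
    """Side-by-side metrics for two projects; 'preferred' is the higher-NPV one."""
    npv_a, npv_b = npv(a, rate), npv(b, rate)
    return {
        "roi": (simple_roi(a), simple_roi(b)),
        "payback_years": (payback_years(a), payback_years(b)),
        "npv": (round(npv_a, 2), round(npv_b, 2)),
        "preferred": "A" if npv_a > npv_b else "B",
    }


if __name__ == "__main__":
    result = compare(PROJECT_A, PROJECT_B)
    for metric, value in result.items():
        print(f"{metric:>14}: {value}")
```

Both projects come out at an ROI of 1.0 (100%) and both have a net present value of exactly zero at a 0% discount rate, which is the same fact restated. At any positive cost of capital project B loses less present value (about -$27k versus -$242k at 10%) and pays back in one year instead of five, so the tools that account for timing rank B ahead while ROI alone cannot.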

So yes, patch management and better password management are probably rational investments, and there are better ways to show that than ROI.